1. Homework #4 Solutions Brian A. LaMacchia bal@cs.washington.edu bal@microsoft.com Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

2. January 31, 2006Practical Aspects of Modern Cryptography2 Question 1a  Question 1(a): Compute the relative cost of RSA encryption to RSA decryption in SSL in terms of modular multiplications mod n. The server’s public key is (n, e), where n is a 1024-bit composite, n = p*q (p, q 512-bit primes), and e = 2 16 +1. The server’s public key is (n, e), where n is a 1024-bit composite, n = p*q (p, q 512-bit primes), and e = 2 16 +1. The server’s private decryption exponent is d where ed  1 mod (p-1)(q-1). Assume for this problem that half the bits in d are 1’s and |d| = 1024. The server’s private decryption exponent is d where ed  1 mod (p-1)(q-1). Assume for this problem that half the bits in d are 1’s and |d| = 1024.

3. January 31, 2006Practical Aspects of Modern Cryptography3 Question 1a  Recall Josh's description of how to multiply fast Follow the bits in the exponent (high to low, ignoring the high bit since it's always 1), a 0 is a square and a 1 is a square followed by a side multiply. Follow the bits in the exponent (high to low, ignoring the high bit since it's always 1), a 0 is a square and a 1 is a square followed by a side multiply. So the cost of exponentiating is determined by the size of the exponent and the number of 1 bits it has. So the cost of exponentiating is determined by the size of the exponent and the number of 1 bits it has.  The cost of encrypting (exponentiating to e) is thus going to involve 16 squares and 1 side multiply, since |e| = 17 and has only the high & low bit set.  The cost of decrypting (exponentiating to d) is going to involve 1023 squares and 511 side multiplies (because |d| = 1024 and half the bits in d are 1s).

4. January 31, 2006Practical Aspects of Modern Cryptography4 Question 1b - Rebalanced RSA  n = pq, |p| = |q| = 512, p, q prime  Server chooses the decryption exponent d first such that d  r1 mod p-1, d  r2 mod q-1, |r1| = |r2| = 160 d  r1 mod p-1, d  r2 mod q-1, |r1| = |r2| = 160 Assume half the bits in r1 & r2 are 1s Assume half the bits in r1 & r2 are 1s  The server then computes e such that ed  1 mod (p-1)(q-1). |e| = 1024, assume half the bits in e are 1s |e| = 1024, assume half the bits in e are 1s  Encryption E(X) = X e mod n  Decryption D(X) is now done by computing X r1 mod p, X r2 mod q, and using CRT to construct X d mod n.

5. January 31, 2006Practical Aspects of Modern Cryptography5 Question 1b  Question 1(b): Compute the relative cost of RSA encryption to RSA decryption in the Rebalanced RSA case for |n| = 1024, |r1| = |r2| = 160, again in terms of modular multiplications in the exponentiations.  What’s the speedup for a server compared to the “regular” RSA in Question 1(a)?

6. January 31, 2006Practical Aspects of Modern Cryptography6 Question 1b  We proceed as in 1(a), looking at the sizes and number of 1 bits in the various exponents.  Encrypting: e is now "full size“, so |e| = 1024 and half the bits in e are 1s Computing X e mod n will involve 1023 squares and 511 side multiplies Computing X e mod n will involve 1023 squares and 511 side multiplies  Decrypting: we need to compute X r1 mod p and X r2 mod q. |r 1 | = |r 2 | = 160 (by definition), and each has 80 1 bits. |r 1 | = |r 2 | = 160 (by definition), and each has 80 1 bits. Each exponentiation will involve 159 squares and 79 side multiplies. So together, the server has to perform 318 squares and 158 side multiplies. Each exponentiation will involve 159 squares and 79 side multiplies. So together, the server has to perform 318 squares and 158 side multiplies.

7. January 31, 2006Practical Aspects of Modern Cryptography7 Question 1b  Just comparing the number of exponentiations, we've reduced the server's workload from 1023 squares & 511 side multiplies to 318 squares and 158 side multiplies, which is about a 3.2X speedup for the server. Plus, the server gets to do these calculations mod p and mod q, which means it's dealing with smaller numbers. Plus, the server gets to do these calculations mod p and mod q, which means it's dealing with smaller numbers.  The client is a lot slower. 1023 squares and 511 side multiplies vs. 16 squares and 1 side multiply in 1(a). 1023 squares and 511 side multiplies vs. 16 squares and 1 side multiply in 1(a).

8. January 31, 2006Practical Aspects of Modern Cryptography8 Question 2 – IPSEC cost  C sends data to S in packets of varying length; for each packet S and C have to perform an IKE key establishment once to agree on a symmetric encryption key, and then perform repeated symmetric encryptions until the entire packet is encrypted.  Assume the following performance characteristics for C’s encryption capabilities: C can perform IKE key establishment with S in 25,000  s to derive a symmetric encryption key for the session. C can perform IKE key establishment with S in 25,000  s to derive a symmetric encryption key for the session. C can perform a single symmetric encryption operation on a 16-byte plaintext in 0.25  s. C can perform a single symmetric encryption operation on a 16-byte plaintext in 0.25  s.

9. January 31, 2006Practical Aspects of Modern Cryptography9 Question 2a  Question 2(a): If the average packet of data sent from C to S is 1KB (1024 bytes) in length, what’s the maximum bandwidth that can be achieved between C and S?  Encrypting each packet requires one IKE key establishment and some number of symmetric encryption operations. Bandwidth = bits/second Bandwidth = bits/second

10. January 31, 2006Practical Aspects of Modern Cryptography10 Question 2a - Solution  For a 1K packet, we need one IKE + (1K/16) block encryptions The IKE takes 25000  s The IKE takes 25000  s The block encryptions take 64*.25  s = 16  s The block encryptions take 64*.25  s = 16  s The total time is 25016  s, and we’ve processed 1K bytes in that time, or about 40933 bytes/sec. The total time is 25016  s, and we’ve processed 1K bytes in that time, or about 40933 bytes/sec.

11. January 31, 2006Practical Aspects of Modern Cryptography11 Question 2a - Solution  But wait, what about the additional bytes ESP adds? No effect on bandwidth limits from encryption, but ESP does add overhead, so it’s fair to look at that cost too. No effect on bandwidth limits from encryption, but ESP does add overhead, so it’s fair to look at that cost too.  We don’t know the actual wire speed, but we know that ESP adds some bytes to each packet. Assume 56 bytes added to each packet Assume 56 bytes added to each packet So we have to send 1024+56 = 1080 bytes to actually transmit 1024 data bytes. So we have to send 1024+56 = 1080 bytes to actually transmit 1024 data bytes. 1080/1024 = 1024/X  X = 970.9 bytes 1080/1024 = 1024/X  X = 970.9 bytes 970.9 bytes in 25016  s = 38811 bytes/sec 970.9 bytes in 25016  s = 38811 bytes/sec

12. January 31, 2006Practical Aspects of Modern Cryptography12 Question 2b  Question 2(b): Now assume the average packet is 100KB; what’s the maximum achievable bandwidth?  What’s the maximum bandwidth in the limiting case (i.e. one persistent session with an infinite-length packet to be sent)?

13. January 31, 2006Practical Aspects of Modern Cryptography13 Question 2b - Solution  For a 100K packet, we need one IKE + (1K/16) block encryptions The IKE takes 25000  s, 100K = 102400 bytes The IKE takes 25000  s, 100K = 102400 bytes (100K/16) block encryptions take (100K/16)*.25  s = 6400*.25  s = 1600  s (100K/16) block encryptions take (100K/16)*.25  s = 6400*.25  s = 1600  s Total time: 26600  s, or about 3,849,624 bytes/sec. Total time: 26600  s, or about 3,849,624 bytes/sec. Adding in 56 header bytes, we have to send 102456 bytes instead of 102400 bytes. Adding in 56 header bytes, we have to send 102456 bytes instead of 102400 bytes. 102456/102400 = 102400/X  X = 102344 bytes 102456/102400 = 102400/X  X = 102344 bytes 102344 bytes in 26600  s = 3,847,518 bytes/sec 102344 bytes in 26600  s = 3,847,518 bytes/sec  In the limit, the limiting factor is that it takes.25  s to encrypt 16 bytes, so that's an upper limit of 64,000,000 bytes/sec.

14. January 31, 2006Practical Aspects of Modern Cryptography14 Question 3 – KDC Eavesdropping  KDC, S and C are members of the same Kerberos realm  When C obtains a ticket for S, KDC assigns ephemeral key K C,S  KDC knows K C,S and can eavesdrop on all traffic protected with K C,S  Assume KDC is passive (i.e. KDC cannot modify messages it sees on the wire).  Question 3(a): Show how C and S can establish key K’ known only to them

15. January 31, 2006Practical Aspects of Modern Cryptography15 Question 3a  Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange.

16. January 31, 2006Practical Aspects of Modern Cryptography16 Question 3a  Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange.  But how do C and S know they’re talking to each other while doing so?

17. January 31, 2006Practical Aspects of Modern Cryptography17 Question 3a  Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange.  But how do C and S know they’re talking to each other while doing so?  One of the benefits of Kerberos is that it give you mutual authentication “for free” C and S authenticate each other as a side- effect of running the Kerberos protocol. C and S authenticate each other as a side- effect of running the Kerberos protocol.

18. January 31, 2006Practical Aspects of Modern Cryptography18 Question 3a  Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange.  But how do C and S know they’re talking to each other while doing so?  One of the benefits of Kerberos is that it give you mutual authentication “for free” C and S authenticate each other as a side- effect of running the Kerberos protocol. C and S authenticate each other as a side- effect of running the Kerberos protocol.

19. January 31, 2006Practical Aspects of Modern Cryptography19 Question 3a  So one way to solve the problem is to add mutual authentication to Diffie-Hellman. Here’s how:  First, have C and S run the Kerberos protocol to obtain shared secret K C,S (known to C, S and the KDC).  Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters).  Initialization: each party (C and S) chooses a secret exponent (a and b respectively) C computes A = g a mod p, S computes B = g b mod p C computes A = g a mod p, S computes B = g b mod p  C  S: A, HMAC-SHA1(A, K C,S ). S verifies the keyed MAC and knows that A really came from C. S verifies the keyed MAC and knows that A really came from C.  S  C: B, HMAC-SHA1(B, K C,S ). C verifies the keyed MAC and knows that B really came from S. C verifies the keyed MAC and knows that B really came from S.  C computes B a mod p to get K’ = g ab mod p.  S computes A b mod p to get K’ = g ab mod p.  Now C and S hold a new shared secret, K’, which is unknown to the KDC. C and S used K C,S to authenticate a later, public key-based exchange. C and S used K C,S to authenticate a later, public key-based exchange.

20. January 31, 2006Practical Aspects of Modern Cryptography20 Question 3b  What happens if the KDC is active?

21. January 31, 2006Practical Aspects of Modern Cryptography21 Question 3b  What happens if the KDC is active?  If the KDC is active then it can intercept messages, rewrite A & B to A' and B' and conduct a man-in-the- middle attack.

22. January 31, 2006Practical Aspects of Modern Cryptography22 Man-in-the-Middle  An active KDC can play a man-in-the- middle attack. KDC can also defeat the modified D-H in 3(a) because it knows K C,S KDC can also defeat the modified D-H in 3(a) because it knows K C,S Server S Client C KDC g a’ mod p g a mod p g b mod p g b’ mod p Negotiated key: g ab’ mod p Negotiated key: g a’b mod p

23. January 31, 2006Practical Aspects of Modern Cryptography23 Question 3c (Extra Credit)  Assume C and S are jointly members of two independent Kerberos realms: Realm 1: KDC1, yielding key K C,S,1 Realm 1: KDC1, yielding key K C,S,1 Realm 2: KDC2, yielding key K C,S,2 Realm 2: KDC2, yielding key K C,S,2  Assuming that KDC1 and KDC2 do not collude with each other, devise a protocol between C and S to create an encrypted channel that is secure against active eavesdropping from both KDC1 and KDC2.  > 3c) With two independent keys, so long as the KDCs don't collude they can't play man- in-the-middle.

24. January 31, 2006Practical Aspects of Modern Cryptography24 Question 3c (Extra Credit)  With two independent keys shared between C and S, so long as the KDCs don't collude neither can perform a man-in-the-middle attack. “Independent” here means “Neither key is known to both KDC1 and KDC2”. “Independent” here means “Neither key is known to both KDC1 and KDC2”.  Solution: as in 3(a) above, but use both keys in the HMAC authenticators Neither KDC1 or KDC2 knows both, so even if they’re active they can’t switch messages on C or S Neither KDC1 or KDC2 knows both, so even if they’re active they can’t switch messages on C or S

25. January 31, 2006Practical Aspects of Modern Cryptography25 Question 3c  C and S run Kerberos in both realms, obtaining K C,S,1 and K C,S,2  Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters).  Initialization: C computes A = g a mod p, S computes B = g b mod p  C  S: A, HMAC-SHA1(A, K C,S,1, K C,S,2 ). S verifies the keyed MAC and knows that A really came from C. S verifies the keyed MAC and knows that A really came from C.  S  C: B, HMAC-SHA1(B, K C,S,1, K C,S,2 ). C verifies the keyed MAC and knows that B really came from S. C verifies the keyed MAC and knows that B really came from S.  C computes B a mod p to get K’ = g ab mod p.  S computes A b mod p to get K’ = g ab mod p.  Now C and S hold a new shared secret, K’, which is unknown to the KDC.